My favorites | Sign in
Project Home Downloads Wiki Issues Source
Search
for
Documentation  
General information, installation how-to, usage instructions and troubleshooting
Featured, Phase-Deploy, Phase-Support
Updated Feb 17, 2012 by kernc...@gmail.com





Licence

logkeys is dual licensed under the terms of either GNU GPLv3 or later (required by Google), or WTFPLv2 or later. Pick whichever you prefer!

Installation

If you have ever installed a Linux program from source, then you should have no trouble installing logkeys.

If you haven't installed from source yet, it is likely you are missing a C++ compiler installed. Before proceeding please ensure you have g++ and "similarly trivial tools" ready. 

$ sudo apt-get install g++    # to install g++ on a Debian-based OS

Proceed with 

$ tar xvzf logkeys-0.1.1a.tar.gz     # to extract the logkeys archive
 
$ cd logkeys-0.1.1a/build    # move to build directory to build there
$ ../configure               # invoke configure from parent directory
$ make                       # make compiles what it needs to compile
( become superuser now )     # you need root to install in system dir
$ make install               # installs binaries, manuals and scripts

If you run on any errors during configure stage, your machine must be in a very poor shape. Before installing please confirm that you have a 2.6 branch of Linux kernel, and standard command line utilities such as ps, grep, and especially dumpkeys.

logkeys relies on dumpkeys to output at least half correct keysym bindings. For this to be true, you have to set your console keymap. If you have keyboard correctly set to your language in X, verify that the same characters appear on a virtual terminal (Ctrl+Alt+Fn) also.

How to set console keymap?

logkeys also relies on en_US.UTF-8 locale being present on the system, or any other language using UTF-8. You can confirm you are using UTF-8 locale, if you say 

 $ locale -a
 C
 ...
 en_US.utf8
 ...
 $ locale
 LANG=en_US.UTF-8
 LC_CTYPE="en_US.UTF-8"
 ...
If locale -a does not return among others the result en_US.UTF-8 and if LC_CTYPE environmental variable doesn't contain UTF-8, then logkeys may not work correctly.

If that is the case use either locale-gen or install/reconfigure your distribution's locales package, and there include en_US.UTF-8. 

$ apropos locale

Usage how-to

logkeys is simple. You can either invoke it directly, by typing full command line, or use the provided scripts. There are two helper programs in this package:

  • bin/llk , which is intended to start the logkeys daemon, and
  • bin/llkk , which is intended to kill it.

bin/llk runs etc/logkeys-start.sh, and bin/llkk runs etc/logkeys-kill.sh.

You can use these two setuid root programs (llk and llkk) for starting and stopping the keylogger quickly and covertly. You can modify the two .sh scripts as you like. As the programs are installed with setuid bit set, the root password need not be provided at their runtime.

Default log file is /var/log/logkeys.log and is not readable by others.

I suggest you first test the program manually with 

 $ touch test.log
 $ logkeys --start --output test.log

and in the other terminal follow it with 

 $ tail --follow test.log

and see if the pressed keys match to those noted. If you use a US keyboard layout, use -u switch. Make sure your terminal character locale is set to UTF-8 

 $ locale
 LANG=xx_YY.UTF-8
 LC_CTYPE="xx_YY.UTF-8"
 ...

or alternatively, you need en_US.UTF-8 locale available on your system 

 $ locale -a
 ...
 en_US.UTF-8
 ...

otherwise you may only see odd characters (like ꑶ etc.) when pressing character keys.

logkeys acts as a daemon, and you stop the running logger process with 

 $ logkeys --kill

(or bin/llkk provided script).

Before using logkeys, please read the manual page first. 

 $ man logkeys

Autorun at system start

If you want logkeys to autorun when your OS boots, you have several options. You can edit /etc/rc.local (or /etc/rc.d/rc.local) file and add logkeys execution line before the final exit 0 call, e.g. 

#!/bin/sh -e
#
# rc.local
#
logkeys --start --keymap=/home/I/custom_key.map --output=/home/I/custom.log --device=event4
exit 0

Alternatively, you can put your custom "logkeys execution line" into etc/logkeys-start.sh file, and then use your desktop's "autorun manager" to run llk program, which will then execute said logkeys-start.sh script without prompting you for root/sudo password.

logkeys will automatically terminate on shutdown.

Troubleshooting

Empty log file or 'Couldn't determine keyboard device' error

After you run logkeys successfully, if you open the log file and see only the 'Logging started...' and 'Logging stopped...' tag without any keypress "contents," it is very likely that logkeys got your device id wrong.

This may also apply if you get the following error: 

  logkeys: Couldn't determine keyboard device. :/

The solution is to determine the correct event device id, and then run logkeys with --device (-d) switch, specifying that device manually.

The procedure for manually learning the device id to use is as follows:

As root, for each existing device eventX in /dev/input/, where X is a number between 0 and 31 inclusively, write: 

 $ cat /dev/input/eventX

then type some arbitrary characters. If you see any output, that is the device to be used. If you don't see any output, press Ctrl+C and continue with the next device.

If this happened to be your issue, please checkout the latest version from the SVN where keyboard recognition is relatively better implemented. If error persists, please add to bug report here, attaching your /proc/bus/input/devices file as well as specifying which was the correct event id. Thanks.

Logkeys outputs wrong characters

It is very likely that you will see only some characters recognized, without any hope for Shift and AltGr working even slightly correct, especially when starting logkeys in X. In that case it is better to switch to virtual terminal, e.g. tty4 (Ctrl+Alt+F4), and there execute: 

 $ logkeys --export-keymap=my_lang.map

Then open my_lang.map in UTF-8 enabled text editor and manually repair any missing or incorrectly determined mappings. Character keys are defined with two to three space-delimited characters per line (first without modifiers, second with shift, third with AltGr), and function keys are strings of at most 7 characters.

Make sure your customized keymap follows the logkeys keymap format specification!

From then on, execute logkeys with --keymap switch, e.g. 

 $ logkeys --start --keymap my_lang.map

Again, see if it now works correctly (and character keys appear correct when you are viewing the log file in editor), and opt to modify bin/llk starter script.

If you create full and completely valid keymap for your particular language, please upload it as a new issue or send it to me by e-mail. Thanks. Some languages may already have keymaps available.

Known bugs and limitations

Please report all found bugs on the issues tracking page.

Planned features (roadmap)

TODO file provided with release currently holds following demanded features:

  • Add support for sending logs via email.
  • Optionally log title of the focused window.
  • Capture clipboard contents.
  • Add support for mouse events (i.e. on mouse click the focus may have changed).
Depending on the amount of extra free time, these features shall be implemented in the foreseeable future.

If you have time on your hands and the required interest, you are welcome to hack at any of those or completely other features yourself.

Comment by cxl9261995@gmail.com, Jul 15, 2010

If you are running Debian/Ubuntu and logkeys returns weird keys in the log, despite locale returning all en_US's, the run this to fix it:

Debian: su -c 'dpkg-reconfigure console-data' Ubuntu: sudo dpkg-reconfigure console-setup

Comment by aguiler...@gmail.com, Aug 5, 2010

Running for US keyboards

logkeys --start --us-keymap

Autorun at system start

sudo gedit /etc/init.d/logkeys-start

Paste this in there

#!/bin/bash

sudo logkeys --start --us-keymap

and save it

Run this

sudo su

cd

cd /etc/init.d/

update-rc.d logkeys-start defaults

chmod +x /etc/init.d/logkeys-start

reboot That's it

The log file will be the one that is at

sudo nano /var/log/logkeys.log

Comment by wayoffba...@gmail.com, Sep 22, 2010

Works great on Ubuntu 10.04 LTS!

For automatic screenshots, I did the following.

For screenshots, ubuntu comes with the import command.

You need a script to run the screenshot command. 

sudo gedit /usr/local/bin/screen.sh

Add the following: 

#!/bin/bash  
DATE="`date '+%Y%m%d_%H_%M'`" 
export DISPLAY=:0 
/usr/bin/import -window root -resize 800 /var/log/ss/${DATE}.jpg

And save. I used /var/log/ss to store the screen shots. Adjust the resolution as needed.

Make the script executable 

sudo chmod +x /usr/local/bin/screen.sh

Make the ss dir: 

sudo mkdir /var/log/ss

Next you need to edit root's crontab to run this script however often. I set it for every two minutes.

Edit cron: 

sudo crontab -e

Note: Choose an editor, like nano if prompted.

Add the following to the cron (all on one line): 

0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58 * * * * /usr/local/bin/screen.sh

Save and exit and crontab will be updated. To check root's crontab run: 

sudo crontab -l

Now you need a script to clean up old screenshots, so you you don't fill up your harddrive -- it would take you a long time to do that though.

For this I added a cron.daily script, so it gets run once a day. I set it to delete any image files older than 30 days.

Create the clean up script: 

sudo gedit /etc/cron.daily/ss-clean

Add these lines to it: 

#!/bin/bash  
cd /var/log/ss 
find . -name '*jpg' -mtime +30 -exec /bin/rm {} \;

Save and exit

Make the script executable: 

sudo chmod uga+x /etc/cron.daily/ss-clean

Done

Now to view these files you must have root permission. I like to use the run command (alt-F2) and enter the following at the run prompt.

To see the Screen Shots: 

gksu nautilus /var/log/ss
Comment by jove...@gmail.com, Nov 8, 2010

My log file shows this?

<LShft>rack<LShft>$!$(

is it Rack$!$( as typed?

Comment by project member kernc...@gmail.com, Nov 8, 2010

No, I think had the user typed Rack, the log would say Rack.

Comment by djlexxy....@gmail.com, Dec 10, 2010

apparently my system is 'in very poor condition' because i DO run into errors at the initial installation. everything goes fine until i start the 'make install' command. what happens next, is this:

Making install in src

make1?: Entering directory `/home/michelle/Downloads/logkeys-0.1.1a/build/src'

make2?: Entering directory `/home/michelle/Downloads/logkeys-0.1.1a/build/src'

test -z "/usr/local/bin" || /bin/mkdir -p "/usr/local/bin"

/usr/bin/install -c logkeys llk llkk '/usr/local/bin'

/usr/bin/install: cannot create regular file `/usr/local/bin/logkeys': Permission denied

/usr/bin/install: cannot create regular file `/usr/local/bin/llk': Permission denied

/usr/bin/install: cannot create regular file `/usr/local/bin/llkk': Permission denied

make2?: [install-binPROGRAMS] Error 1

make2?: Leaving directory `/home/michelle/Downloads/logkeys-0.1.1a/build/src'

make1?: [install-am] Error 2

make1?: Leaving directory `/home/michelle/Downloads/logkeys-0.1.1a/build/src'

make: [install-recursive] Error 1

michelle@michelle-asus:~/Downloads/logkeys-0.1.1a/build$

being a newbie, i have no clue what's going wrong... any suggestions are much appreciated!

Comment by project member kernc...@gmail.com, Dec 11, 2010

in terminal, type

$ sudo make install

Comment by delon...@gmail.com, Dec 30, 2010

is it possible to run the screenshot command every time i click with my mouse and focus the screenshot just say 600x480 around tou mouse pointer?

Comment by auto24...@gmail.com, Feb 25, 2011

How would one use the http post feature? Is it possible to, say, upload the file to a Dropbox account or some other web service?

Comment by ByronSch...@gmail.com, Apr 21, 2011

Trying to make and every time i get the same error (tried w/ and w/o the sudo, as i am already root)

[root@cx-gtkeylog1 build]# pwd /root/logkeys-0.1.1a/build [root@cx-gtkeylog1 build]# ls config.h config.log config.status Makefile man scripts src stamp-h1 [root@cx-gtkeylog1 build]# [root@cx-gtkeylog1 build]# sudo make make all-recursive make1?: Entering directory `/root/logkeys-0.1.1a/build' Making all in src make2?: Entering directory `/root/logkeys-0.1.1a/build/src' g++ -DHAVE_CONFIG_H -I. -I../../src -I.. -Wall -O3 -DSYS_CONF_DIR=\"/usr/local/etc\" -MT logkeys.o -MD -MP -MF .deps/logkeys.Tpo -c -o logkeys.o ../../src/logkeys.cc In file included from ../../src/logkeys.cc:58: ../../src/args.cc:49:50: error: invalid suffix "b1" on integer constant ../../src/args.cc:50:50: error: invalid suffix "b10" on integer constant ../../src/args.cc:51:50: error: invalid suffix "b100" on integer constant ../../src/args.cc:52:50: error: invalid suffix "b1000" on integer constant ../../src/args.cc:53:50: error: invalid suffix "b10000" on integer constant ../../src/args.cc:54:50: error: invalid suffix "b100000" on integer constant ../../src/args.cc:76:16: error: invalid suffix "b1" on integer constant ../../src/args.cc:78:16: error: invalid suffix "b1000" on integer constant ../../src/args.cc:84:16: error: invalid suffix "b10000" on integer constant ../../src/args.cc:98:16: error: invalid suffix "b100000" on integer constant ../../src/logkeys.cc:370:37: error: invalid suffix "b1" on integer constant ../../src/logkeys.cc:384:51: error: invalid suffix "b1" on integer constant ../../src/logkeys.cc:388:61: error: invalid suffix "b1" on integer constant ../../src/logkeys.cc:393:23: error: invalid suffix "b1" on integer constant ../../src/logkeys.cc:459:20: error: invalid suffix "b100" on integer constant ../../src/logkeys.cc:523:27: error: invalid suffix "b10" on integer constant ../../src/logkeys.cc:537:26: error: invalid suffix "b100" on integer constant ../../src/logkeys.cc:577:28: error: invalid suffix "b10" on integer constant make2?: [logkeys.o] Error 1 make2?: Leaving directory `/root/logkeys-0.1.1a/build/src' make1?: [all-recursive] Error 1 make1?: Leaving directory `/root/logkeys-0.1.1a/build' make: all? Error 2

i'm new to linux/redhat, really a unix user, any suggestions would be great, thanks!

Comment by ByronSch...@gmail.com, Apr 21, 2011
Comment by chezas...@gmail.com, Jul 3, 2011

this is more of a question. I have had a lot of problems with malicious keyloggers. Is there any way to detect a keylogger on a Knoppix instalation?

Help is really appreciated! Yours, josh Denton chezashua@gmail.com

Comment by tarek.t...@gmail.com, Sep 13, 2011

I am trying it with Fedora 15 but without any luck, I keep on getting empty log file, even when I specify the /input/eventX manually, any idea what can be the cause ?

Comment by pepitoe, Sep 19, 2011

I seem to have the same issue on Fedora 15, Logskeys seems to run without any obvious error but nothing gets logged.

Comment by Winic...@gmail.com, Oct 7, 2011

Fedora 15 here. My log file is also empty. There is no sign of the program executing.

Comment by Winic...@gmail.com, Oct 7, 2011

Don't compile the beta logkeys on Fedora 15, use the stable version. Then add these two lines to logkeys-0.1.0/src/logkeys.cc near the #include section:

#include <sys/types.h> #include <sys/stat.h>

Then compile as you normally would.

Comment by tarek.t...@gmail.com, Oct 8, 2011

followed us instructions Wininc for Fedora15, but it seems that it only works if u add the -u option, otherwise it will just freeze

Comment by onehappy...@gmail.com, Dec 20, 2011

install location? I downloaded to my home folder, then had no problems with the install and make in the home folder. but it's not creating /var/log/logkeys.log file. did I install in the wrong location? how do I get the logkeys.log file to create?

Comment by richard....@btinternet.com, Dec 28, 2011

I created the file using sudo nautilus as it did not create itself, worked OK.

Comment by aru...@gmail.com, Apr 1, 2012

thanks Wininc and tarek.t.. got it working with both ur suggestions..

Comment by atilla.k...@gmail.com, Apr 26, 2012

I noticed that it doesn't record on screen keyboard entries, how can I set it?

Comment by project member kernc...@gmail.com, Apr 26, 2012

Ummm... that's not how it works. :)

Comment by andres.f...@gmail.com, May 13, 2012

I used this map in ubuntu 12.04 with a US keyboard

<Esc> 1 ! 1 2 @ 3 # 4 $ 5 % 6 ^ 7 & 8 9 ( 9 0 ) 0 -

+

<BckSp> <Tab> q Q w W e E r R t T y Y u U i I o O p P [ { ] } <Enter> <LCtrl> a A s S d D f F g G h H j J k K l L ; : ; ' " ` ~ <LShft> \ | z Z x X c C v V b B n N m M , < , . > / ? <RShft> <KP> <LAlt> <CpsLk> <F1> <F2> <F3> <F4> <F5> <F6> <F7> <F8> <F9> <F10> <NumLk> <ScrLk> <KP7> <KP8> <KP9> <KP-> <KP4> <KP5> <KP6> <KP+> <KP1> <KP2> <KP3> <KP0> <KP.> Ĉ <F11> <F12> <KPEnt> <RCtrl> <KP/> <PrtSc> <AltGr> <Break> <Home> <Up> <PgUp> <Left> <Right> <End> <Down> <PgDn> <Ins> <Del> <Pause> <LMeta> <RMeta> <Menu>

Comment by james.se...@gmail.com, May 15, 2012

Use this "/2 /usr/local/bin/screen.sh" instead of this "0,2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,46,48,50,52,54,56,58 /usr/local/bin/screen.sh"

You can also swap the 2 out for another number. i.e. 5 for every 5 minutes.


Sign in to add a comment
Powered by Google Project Hosting